Threat Intelligence Blog

Weekly Threat Intelligence Brief: May 22, 2018

Posted May 22, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into current threats across a range of industries.

Defense

“The Army is undergoing a change to its cyber and electronic warfare personnel. Announced last year, the service will transition its cadre of electronic warfare soldiers into the service’s cyber branch, effectively making them cyber planners. The main Army leader heading the effort equated the split in cyber/EW personnel going forward to the division within the special operations forces community. Effective October 1 of this year, the EW workforce will transition to the cyber branch and will go through a series of mobile training teams that are teaching them how to do planning in the cyber domain. Anyone new entering the electronic warfare force after that will first go through cyber training at Fort Gordon and then will move to specific training in conducting operations in and through the electromagnetic spectrum. This is all part of a new construct the Army is instituting to insert cyber and electromagnetic activities cells organically within brigade combat teams to provide commanders with planning in those domains.”

Technology

“A newly discovered malware family capable of credential theft, cryptomining, click fraud, and other nefarious actions has already infected over 100,000 computers. Dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, the malware is propagating via socially-engineered links on Facebook. The group behind the campaign has been active since at least March 2018 and has already managed to infect users in 100 countries. Victims are redirected to a fake YouTube page that asks them to install a Chrome extension to play the video. Once they accept the installation, the malicious extension is added to their browser, and the machine is enrolled in the botnet. The actor behind the campaign uses the Bitly URL shortening service when redirecting victims to Facebook to trick users into revealing their login credentials. Based on statistics from Bitly and the Chrome web store, Radware determined that 75% of the infections occurred in the Philippines, Venezuela and Ecuador, with the remaining 25% distributed over 97 other countries. In order to bypass Google’s validation checks, the malware developers created copies of legitimate extensions and injected a short, obfuscated malicious script into them, to start the malware operation. The Nigelthorn malware itself is focused on stealing Facebook login credentials and Instagram cookies. It also redirects users to a Facebook API to generate an access token that is then sent to the C&C. The stolen credentials are used for propagation, to spread the malicious link to the user’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts. Should any of the victim’s contacts click on the link, the infection process is repeated.”

Legal, Litigation, and Regulatory Risk

“South Korean prosecutors have raided the offices of a cryptocurrency exchange. In a statement posted on its homepage, the exchange confirmed it was being investigated by prosecutors and was cooperating with authorities. The exchange stressed that all customer services were available and that their accounts were safe. Prosecutors are investigating whether the company defrauded customers by claiming it had cryptocurrency and electronic wallets that it didn’t have. This is the most high-profile raid on a cryptocurrency exchange to date in the country, but not the first. Last month, prosecutors arrested the boss of a separate exchange over alleged embezzlement and fraud. The government earlier ruled out a total ban on cryptocurrency after the market heated up but vowed more transparency in dealing with cryptocurrency.”

Insurance & Healthcare

“The Department of Homeland Security has yet again issued a warning about cybersecurity vulnerabilities in medical devices. These warnings have come after independent researchers, or the companies themselves, have reported the problems. The two latest alerts from DHS’s Industrial Control Systems Emergency Response Team warn of the risk that flaws could be exploited by attackers to obtain unauthorized access to systems or to modify settings. They deal with vulnerabilities in some wireless electrocardiogram products from Silex Technologies and GE Healthcare, and vulnerabilities in certain computed tomography, or CT, systems from Philips.”